CVE-2024-10979
Nov. 25, 2024, 5:15 a.m.
Tags
CVSS Score
Product(s) Impacted
PostgreSQL
- before 17.1
- before 16.5
- before 15.9
- before 14.14
- before 13.17
- before 12.21
Description
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Weaknesses
CWE-15
External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user.
CWE ID: 15Date
Published: Nov. 14, 2024, 1:15 p.m.
Last Modified: Nov. 25, 2024, 5:15 a.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
Exploitability Score
Impact Score
Base Severity
HIGHCVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
View Vector StringCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H